SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4aa59ba63313cd51b983646ad146e8c577e277bd
SilverMetal/linux/build/docker/Dockerfile.builder
SysAdmin 4aa59ba633
Some checks failed
Build SilverMetal Linux ISO (reproducibility-gated) / build-and-verify (push) Failing after 11m33s
Details
fix(linux/build): non-interactive mode + visible output + key import (M1.1) 
Run #4260 cleared every harness layer and ran for 18 minutes — past
sanity-tests, prepare-build-machine, cowbuilder-setup, local-deps —
into 2100_create-debian-packages, where it died on:

    Could not check validity of signature with
    '92978A6E195E4921825F7FF0F34F09744E9F5DD9' in
    '/home/user/derivative-binary/temp_packages_debian_sid/virtualbox_7.2.8-dfsg-1.dsc'
    as public key missing!

…and then *also* hung the runner indefinitely because, on any error,
derivative-maker's exception_handler_general detected a TTY (we passed
`docker run -t`) and dropped into an interactive `read -p 'Answer? '`
prompt that nothing was ever going to answer. The orphan docker run
in turn orphaned the act_runner job container, blocking the runner
until manual cleanup.

Three coordinated fixes, validated end-to-end with docker-side smoke
tests on 10.0.0.51:

1. **Non-interactive mode without losing output visibility.**

   The original architectural goal: keep derivative-maker out of
   interactive mode (`[ -t 0 ]` must be false) AND keep the build log
   visible to docker run / Gitea Actions (PTY needed somewhere).

   Resolution:
   - `docker run -t` is kept (required for /dev/console to be a real
     PTY back to docker), but no `-i`, so fd 0 stays /dev/null.
   - docker-entrypoint.service: `StandardInput=tty-force` →
     `StandardInput=null` so the service's fd 0 is /dev/null too.
     Verified inside the container: `[ -t 0 ]` returns false.
   - entrypoint.sh now wraps the user command with an explicit
     `> /dev/console 2>&1` redirect before writing it to
     /etc/docker-entrypoint-cmd. systemd's `StandardOutput=inherit`
     does NOT propagate PID-1's stdout to services in this PID-1-
     systemd-in-container topology — the service log was going
     nowhere visible. /dev/console under `docker run -t` IS the
     allocated PTY back to docker, so the redirect surfaces the
     log to the act_runner / Gitea Actions log.
   - entrypoint.sh's `[ ! -t 0 ] && exit 1` guard removed (it
     would now always trigger).

2. **debian-keyring for reprepro source-package signature checks.**

   2100_create-debian-packages calls dm-reprepro-wrapper includedsc
   on every .dsc in temp_packages_debian_sid (including
   virtualbox_*.dsc, even for `--target iso` — see line 114 of that
   build step). reprepro verifies the dsc signature against the
   user's GPG keyring; without the maintainer keys it fails.

   Adds `debian-keyring` to Dockerfile.builder. build-inner.sh now
   imports debian-keyring.gpg / debian-maintainers.gpg /
   debian-nonupload.gpg into the user's keyring before running
   derivative-maker.

3. **BUILDER_IMAGE digest re-pinned.**

   Built natively on 10.0.0.51 (per memory: never on WSL/aarch64).
   New digest: sha256:2f680c96…f0db.

Smoke-test results (against this exact image):

    ==> START                  ← user output reaches docker stdout
    (keyring present)          ← debian-keyring imported successfully
    STDIN_NOT_TTY              ← derivative-maker WILL stay non-interactive
    ==> END                    ← clean shutdown
    docker run exit: 42        ← exit code propagates correctly on failure

Files: Dockerfile.builder, systemd-entrypoint/entrypoint.sh,
       systemd-entrypoint/docker-entrypoint.service, scripts/build.sh,
       scripts/build-inner.sh.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 14:05:49 +01:00

139 lines
5.9 KiB
Ruby
Raw Blame History

# SilverMetal Linux — reproducible-build runner image (systemd-in-container).
#
# This image is the "build host" for the ISO. derivative-maker's build
# steps assume a real systemd-managed Debian host — they call
# `systemctl restart approx-...`, `systemctl daemon-reload`, etc. and
# expect the services they configure to actually run. The clean way to
# satisfy that without a per-service whack-a-mole is to follow upstream's
# own container pattern: systemd as PID 1 inside the container, with an
# entrypoint that records the user-supplied command, masks irrelevant
# units, and execs systemd. systemd then runs `docker-entrypoint.service`
# which executes the recorded command, propagating its exit code back to
# `docker run`.
#
# The vendored systemd entrypoint files live in
# linux/build/docker/systemd-entrypoint/ and are pinned 1:1 to upstream's
# pattern (see that directory's README for the bump procedure).
#
# Pinning by digest is the only thing keeping host-toolchain drift out
# of the reproducibility gate, so do NOT replace the FROM line with a
# tag-only reference.
#
# Build & push (run on 10.0.0.51 — never on the WSL/aarch64 dev box):
# docker build \
# -f linux/build/docker/Dockerfile.builder \
# -t docker-registry.silverlabs.uk/silvermetal-builder:<commit> \
# -t docker-registry.silverlabs.uk/silvermetal-builder:latest \
# linux/build/docker
# docker push docker-registry.silverlabs.uk/silvermetal-builder:<commit>
#
# To bump the base image: replace the digest, rebuild, push, update
# BUILDER_IMAGE in linux/build/scripts/build.sh, run a full reproducibility
# check, commit all the changes together.
# debian:trixie-slim — pinned by digest.
# Resolved 2026-05-07 via `docker pull debian:trixie-slim` on 10.0.0.51.
FROM debian:trixie-slim@sha256:cedb1ef40439206b673ee8b33a46a03a0c9fa90bf3732f54704f99cb061d2c5a
ENV DEBIAN_FRONTEND=noninteractive \
LC_ALL=C.UTF-8 \
LANG=C.UTF-8 \
SOURCE_DATE_EPOCH=0 \
USER=user \
HOME=/home/user \
container=docker
# Pinned package versions. These come from the same snapshot.debian.org
# timestamp as the ISO build, so a Dockerfile rebuild against that
# snapshot produces the same toolchain bit-for-bit.
ARG APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/20260415T000000Z"
ARG APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/20260415T000000Z"
# Two-phase install:
# 1. Use the base image's default mirror to seed ca-certificates so
# HTTPS to snapshot.debian.org works. (slim images don't ship
# CA bundles by default.)
# 2. Pin sources.list to the snapshot and install the actual toolchain.
# Phase 1 touches deb.debian.org without a pin; that's fine because
# nothing it installs ends up in the final ISO — only the toolchain
# installed in phase 2 does, and that is fully snapshot-pinned.
#
# Package set explanation:
# - systemd / systemd-sysv / dbus / dbus-user-session
# systemd-in-container runtime; PID 1 of the build container
# - sq sqv sqop sequoia-git sequoia-chameleon-gnupg gpg-agent
# upstream's commit-signature verification stack (sq-git etc.)
# - approx
# package proxy started by 1200_prepare-build-machine; with
# systemd as PID 1, the .socket / @.service units actually fire
# - dpkg-dev fakeroot fasttrack-archive-keyring safe-rm adduser sudo
# ca-certificates git time curl lsb-release
# baseline tools derivative-maker assumes are present
# - debootstrap diffoscope-minimal dosfstools isolinux live-build
# mtools reprepro rsync squashfs-tools syslinux-common xorriso
# SilverMetal ISO toolchain (live-build chain + diff for the
# reproducibility gate)
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends ca-certificates; \
rm -f /etc/apt/sources.list.d/*; \
printf 'deb [check-valid-until=no] %s trixie main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \
printf 'deb [check-valid-until=no] %s trixie-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \
apt-get -o Acquire::Check-Valid-Until=false update; \
apt-get install -y --no-install-recommends \
systemd \
systemd-sysv \
dbus \
dbus-user-session \
sq \
sqv \
sqop \
sequoia-git \
sequoia-chameleon-gnupg \
gpg-agent \
approx \
adduser \
ca-certificates \
curl \
debian-keyring \
dpkg-dev \
fakeroot \
fasttrack-archive-keyring \
git \
gnupg \
lsb-release \
safe-rm \
sudo \
time \
debootstrap \
diffoscope-minimal \
dosfstools \
isolinux \
live-build \
mtools \
reprepro \
rsync \
squashfs-tools \
syslinux-common \
xorriso; \
apt-get clean; \
rm -rf /var/lib/apt/lists/*
# Non-root build user with passwordless sudo.
# Naming matches upstream's docker setup (USER=user, HOME=/home/user)
# so derivative-maker's docker-aware checks line up.
RUN adduser --quiet --disabled-password --home "${HOME}" --gecos "${USER},,,," "${USER}" \
&& printf '%s\n' "${USER} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/passwordless_sudo \
&& chmod 440 /etc/sudoers.d/passwordless_sudo
# systemd-in-container entrypoint — vendored from upstream's
# derivative-maker/docker/. See systemd-entrypoint/README.md.
COPY systemd-entrypoint/entrypoint.sh /usr/local/bin/entrypoint.sh
COPY systemd-entrypoint/docker-entrypoint.service /etc/systemd/system/docker-entrypoint.service
COPY systemd-entrypoint/docker-entrypoint.target /etc/systemd/system/docker-entrypoint.target
COPY systemd-entrypoint/docker-entrypoint-stop.sh /usr/bin/docker-entrypoint-stop.sh
RUN chmod +x /usr/local/bin/entrypoint.sh /usr/bin/docker-entrypoint-stop.sh
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["/bin/bash"]
Reference in New Issue View Git Blame Copy Permalink